SOX Source Code

SOX Source Code

One of the internal controls that SOX is interested in auditing is the source code access process. This falls under one or two of the IT internal controls.

SOX Audit

To pass the required tests, the company must provide a source code access process that requires the owner of the code to approve access before granting it.

It also requires that only approved developers have write access to the source code and that those same developers do not have access to the application in production.

In addition, it requires a review, usually semi-annual, of the access to the code and an audit trail of this review.

If you can provide this evidence, you can pass this internal control test.


  • Prove there is a process for granting source control access
  • Provide regular access review to source code
  • Show how the process works
  • Provide user access lists

Sample SVN Access File

dev = mit\mjb, mit\bjl, umn\tjd
scm = mit\dearking, umn\stixrud

@dev = rw

@scm = rw

SOX Solution

  • Create and document a source code access process and follow it.

  • Periodically, review the users who have access, make the required modifications and show the audit trail.

  • Create source code owners who are responsible for source code access and review.

  • Document source code access request and approvals.

  • Provide documentation for SOX Auditors for tracking and Audit evidence proof.

    Best Practices
    • Use a reliable and dedicated server to house your code
    • Backup your code daily
    • Test your backup and restore processes
    • Choose a source control tool that fits your organization's requirements
    • Perform all tool specific administrative tasks
    • Keep your code repositories as clean as possible
    • Secure access to your code
    • Source Control Administration


    Definition of Information Technology Table of Contents

    Definition of Information Technology Definition of Information Technology describes the primary function of Information Technology. Along with the scope of IT Services and Technologies provides to the Information Technology Services Customers.

    Cloud Computing Cloud Computing is the use of Internet computer and software technologies to provide a variety of computer services. It is more than virtual servers. It is a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. The name Cloud comes from the common diagram of the Internet as it is often depicted in computer network diagrams.

    Disaster Recovery The purpose of this page is to establish a standard for disaster recovery for systems, applications and their configurations.

    ITIL ITIL, Information Technology Infrastructure Library, is a set of best practices that support the delivery of Information Technology Services.

    ITIL V3 ITIL v3, Information Technology Infrastructure Library, is a set of best practices that support the delivery of Information Technology Services.

    Six Sigma Six Sigma seeks to identify and resolve the causes of defects and errors in engineering and business processes. It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization who are experts in these methods. Each Six Sigma project carried out within an organization follows a defined sequence of steps and has quantified financial targets.

    SOA Strategies SOA Strategies, the importance of IT articulating the value of its technology strategy to corporate decision makers, the correlation between architecture and successful business-driven initiatives such as cloud computing and software as a service, and how to avoid common architecture mistakes.

    SOX SOX, Sarbanes Oxley, reporting and testing requirements are mandating formal approvals and reviews of people who have access to application source code.

    SOX Source Code SOX Source Code how to maintain a SOX audit for source code control, you must maintain access control and provide an audit trail of access.

    SCMWise Software Configuration Management SCMWise is dedicated to SCM. This site is a central repository for the collection of best practices, processes, methodologies and tools that surround SCM.

  • SCMWise Configuration Spec

    © Copyright 2007 - 2017
    Powered by Site Build It!
    Page copy protected against web site content infringement by Copyscape's Privacy Policy
    ADD TO YOUR SOCIAL BOOKMARKS: add to BlinkBlink add to add to DiggDigg
    add to FurlFurl add to GoogleGoogle add to SimpySimpy add to SpurlSpurl Bookmark at TechnoratiTechnorati add to YahooY! MyWeb